Can Australia's Proposed Data Retention Scheme Be Easily Circumvented? Depends On Who You Ask

A very polite war is going on in Canberra right now over the future of privacy on the internet in Australia. Senators are grilling department heads on whether or not the proposed data retention scheme will work in Australia. It's a war of words, where every answer matters. Today's question? Can the proposed scheme be easily dodged by Aussies? Maybe.

Yesterday, representatives from the Attorney-General's department sat down with Senators in Parliament House to chew the fat over the proposed data retention scheme, that would (if enacted) see telcos and ISPs retain your metadata for a fixed period of time to be potentially accessed by law enforcement to help catch baddies. At least, that's the pitch from the AG's department. Those on the opposite side of the House say it's ripe for abuse, and fundamentally undermines the principles of privacy online. Hence the need for hearings like the one posted above.

There are a few important questions that need to be answered when it comes to the government's proposed data retention scheme: how much will it cost, who can access the data, and can it be easily circumvented?

On the question of circumvention, the Greens and the Attorney General's staffers went head-to-head yesterday, arguing over whether or not data retention could be easily bypassed, and the answer really depends on who you ask.

Greens' Senator Scott Ludlam quizzed the AG's department yesterday on how easy it would be to skip out on having your metadata retained if you connected to a public network. Below is a brief exchange between the pair:

Senator Scott Ludlam: Are you aware of the wide variety of way in which people could accidentally circumvent data retention by, for example, using a university network or logging onto the Parliament House Wi-Fi? I'm presuming you would agree those systems would be out of scope of data retention?
Anna Harmer, Attorney General's Department: We're aware there are a number of ways in which people can conduct their communications and that they have a number of channels through which to do so.
...Senator Scott Ludlam: So if somebody logs onto the Wi-Fi in Parliament House, in this building, would the metadata be retained by anyone in particular, or would that be out of scope of the National Data Retention Regime?
Anna Harmer, Attorney General's Department: Two specific exemption in the Bill may be relevant...there are particular exemptions for service that are provided in a same place, and ones provided to an immediate circle. The immediate circle ones wouldn't be applicable here. The immediate circle ones apply to entities such as universities...or corporate networks where a company provides its services to its employees but it might be across multiple sites. It's not broadly available to the public.
So there's also an exemption for same area or same place, which ensures that there is not an obligation placed in respect of services provided at a specific location, and the effect of that...would be that the Wi-Fi you might access through a chain coffee store or something like that, a data retention obligation would not fall on the person offering that service.
That's not to say that there wouldn't be data collected because there are telecommunications services who are providing data, but the individual coffee shop provider does not need to disaggregate the data in respect of his or her individual customers, but there is still data collected in relation to the use of that telecommunication service. Ultimately, the coffee shop owner is a customer of the telecommunications provider.
Senator Scott Ludlam: So what about Parliament House or a public library?
Anna Harmer, Attorney General's Department: The data retention obligations would apply to a service provider...who is providing a service to a particular customer and in respect of a public library venue, the data retention obligations apply to the carrier or carriage service provider who is providing the end customer service to that library. The library itself does not have to break it down.
Senator Scott Ludlam: Who has to keep track of who's logged on to the free Wi-Fi at a public library? Anybody or nobody?
...
Anna Harmer, Attorney General's Department: In relation to the individual usage of [the Wi-Fi], the library does not have to keep individual logons.
Senator Scott Ludlam: But then neither does the service provider they purchase the service from?
The service provider needs to keep the elements of the data set in respect of their provision of the service: the information about that subscriber — being the library — and the period over which that is used and the information about the individual communications that are carried.
Senator Scott Ludlam: What that tells to me is that if you want to avoid the national data retention scheme you're seeking to impose, you use the internet at a library or come to Parliament House or go to a free council hotspot or go to public transport?
Anna Harmer, Attorney General's Department: I don't think it tells you that, but it does tell you that aggregation occurs at a high-level and as I said...I'd be reluctant to comment on the techniques security agencies use to support their investigations.
...
They would be caught, the question is by whom. [The scheme] does not impose a new obligation on all persons who provide access to their free Wi-Fi to their customers to now log their individual customers and be accountable and respond to data authorisations.
Senator Scott Ludlam: So that tells me it wouldn't be caught if it's a university Wi-Fi on campus, for example: that means nobody is responsible for monitoring and aggregating and providing later all that traffic.
Anna Harmer, Attorney General's Department: The service provider still has an obligation in relation to their provision of the service to the university.
Senator Scott Ludlam: So they're going to be running a mail server or a router for free Wi-Fi, the only thing going back to Telstra or NBN Co in this instance is bulk traffic farmed out, not who it went to or what traffic it was for.
Anna Harmer, Attorney General's Department: I'm nodding because I'm not sure how much I can add without getting into some tricky territory and I'm reluctant to speak on behalf of agencies but it is correct to say that there is no obligation in respect to the hypothetical university or coffee shop...that maybe providing its Wi-Fi service to its customers...there is no obligation placed on those entities to record the individual use of that service by the individual people who come into that network. There remains a case where carriage service providers can retain data in relation to the provision of service to those institutions.
The question is I suppose is there a level of aggregation? While I think there are some limitations associated with that...it is nevertheless the fact that there is data that's available, the question is the additional steps that a law enforcement agency will need to take to make that data useful and intelligible to them.

The crux of the Senator's questioning yesterday comes down to who is classed as a commercial service provider under the proposed data retention scheme. Would public Wi-Fi providers such as universities, libraries and even Parliament House in Canberra be forced to retain data on the people who connected to the network, or would the telco providing the service to that location retain a limited number of records on those who used the hotspot?

Again, the effectiveness of data retention seems to come down to who you ask. The Government and its spooks will tell you it's a necessary tool, whereas privacy advocates and tech experts would argue it's expensive, easily evaded and needless. The bottom line, however, is that there are still questions over its effectiveness, which means that it can't be rushed.

Comments

His argument is that if you're doing something that you don't want to be tracked to you, log into a public service or a service not registered to you.
Which then brings into question the necessity of data retention.. It's not much use to retain data that you cannot link to an individual.

My first thought on that is that it might still be possible if they're able to "fingerprint" an individual device and subsequently crossmatch timestamps of an infringing device against security footage to identify the individual.

To by pass simply use a encrypted VPN connection widely available on the web. ISIS and most other terrorist groups are very tech savvy. Spending all this money on something that can be bypassed is dumb unless your motives go beyond national security?

Yeah, I'm not in favour of mandatory data retention, but I can see why they want it.
You don't need a direct 'smoking gun with fingerprints on it' link to an identifiable user for the data to be useful.

If you get an example of a convincing threat that needs to be checked out or anecdotal evidence from a source (eg: publicly-accessible chatrooms/forums) that you need to work backwards from to find who was responsible, knowing a general area is helpful. It helps you narrow your search.

Similar to poison pen stuff, back in the day. Postmarks on letters told authorities which post office something dangerous/threatening was mailed from, and they'd work from there. This seems to be the same kind of thing. Detective work needs clues, and metadata provides that.

(Edit: The usefulness is debateable... after all, ask any statistician: someone logging onto a network to send some data doesn't mean they live or work in that area or that they have used that network in the past or will again. It just means that they used that network to send some data. However, a detective will tell you that the odds are pretty good that the suspect has not gone too far out of their way to drop red herrings for basic communications, especially if it's frequent, so it's a better lead than nothing.)

Looks like the bottom line is that metadata alone can never be "proof"
It can help find other proof i guess.

The situation also applies to normal home wifi....
Here's an example. I was at a mates place on sunday for some board games. he has a large family and there were 6-7 friends there. I noticed my laptop wasn't connecting to the wifi. I also noticed my phone was on the wifi. I took my phone off, and my laptop connected. So basically his router had reached some sort of limit. Doesn't really matter but my point is there would have been at least 20 devices connected to that router. At least 6 or 7 of those would have been completely unrelated to who lived there.
So if I looked up something naughty and the feds bust in, they'd have no way of knowing which of the 12 people in the house had done something wrong.

Of course now they can search individual devices and investigate the people present individually but the point is that meta data alone tells them very little.

OK so people who want to conduct illegal business over the internet can bypass these measures, leaving the rest of the country with our privacy ripped away, tell me why are we proposing these new laws?

Because George Brandis is an idiot, that's why. Most people I know will be subscribing to a VPN the moment this law comes down (which I still doubt will occur - due to its idiocy) - that's if they haven't already, of course. When Conroy had a chubby over that filter of his I doubted it would happen - it didn't. The only way the Brandis Internet Microscope will make it is if he continues to be an idiot and no one in parliament has the guts to tell him.

Frankly, the decisions this government has made - NBN (worse internet at almost the same cost, AND will need to be replaced soon), Data Retention (increased cost for Government, ISPs and their customers for zero security gains), Paid Parental Leave (now abandoned), Medicare Co-Pay (abandoned) and the reduced medical consultation rebate (abandoned), among an increasing list of others provides yet more evidence that just being Liberal does not automatically make you better with the economy - as if that was ever really a thing.

Not going to get drawn into political debate, but the current status of the NBN is largely caused by the previous Labor government.

The Liberal party hasn't even begun rolling out it's FTTN solution, it's still in the testing phase I believe.

The NBN is a decade behind schedule, not due to completion until sometime in mid-late 2020's. It was that way by the time the Liberal's came to power. I would rather take the FTTN solution as a short term solution if it means we can get SOME improvement in the next 5 years.

Do it once and do it right.
Lets say its 10 billion to do FTTH (im too lazy to look up real figures)
Leys say its only 6 for FTTN

There is no speed increase for 90% of users
It STILL relies on copper which we know is a stupid idea.. rain/degradation etc
AND by the time they roll it out to some places they will be starting to rip it back up.
It will cost another 8 billion to replace the last section.
So for a total cost of 14 billion. you have no improvement. Higher costs to maintain (copper breaks more than fibre) and you make the project last longer.

Imagine a house. Put a bathroom in now and find the extra 8k
Or renovate in 2 years for a price of 20 when they have to rewire/plumb/tile
its just simpler to do it right the first time.

It's not even close to a decade since Labor even got into office let alone starting the NBN. They were elected in November 2007 and defeated by the coalition in September 2013. Even if they'd started the technical design work the first day (they didn't - NBN Co was first formed in April 2009 to build the Tasmanian test sites) they would have been going just shy of 6 years. As it is, they worked on Labor's fibre NBN for around 4 years 6 months, let's be generous and say 5 years - that makes you 200% wrong (well done, you broke the bell curve). From memory, Labor said it would take approximately 15 years to complete.

If you don't want a debate at least try to get your head around the truth.

So, despite saying you don't want a debate, everything you've said is wrong and ignores what I actually said - the CBN will cost a few billion dollars less than a full blown NBN that was planned to service almost the entire country with fibre which would not require significant additional expenditure to upgrade for decades (real decades - 10 years - not whatever version of a decade you're talking about). That's also not to mention that the CBN is very likely to deliver real world figures not much higher than Australia's current broadband figures, unlike the NBN which had committed to 1Gb/S down, 400Mb/S up (the upload rate was one of the big ones that CBN absolutely will not meet, ever).

I think my statement stands. Now, if you'd like to accurately and truthfully refute my other statements I'd be happy to have that conversation too.

You do realize DOCSIS isn't used on a solely copper based solution right (Unlike ADSL solutions)? It's used in HFC (Hybird Fibre Coaxial) solutions which are available here in Australia from Telstra and Optus (Currently DOCSIS 3.0). DOCSIS 3.0 allows ISP's an increased number of channels and allows you a 100mbps connection (Which I actually saturate).

a. The government is not investing in upgrading HFC to DOCSIS 3.1 : Mr Adcock (NBNCo) @ senate estimates verbatim:There appears to be no commercial reason to deploy DOCSIS 3.1

Still early days but it's a strong indication that this is nothing more then a cost cutting exercise (as follows the trend a posteriori, austerity budget, etc).

b. Even with this new fangled speed boost both the technology (and the article you linked) fail to mention what kind of contention is required to maintain those speeds, examples?

An FDH loop for FTTP (under the current NBN GPON design) connects 19 premises (with a max of 32). So assuming the fibre has a capacity of 2.5Gbps:
2500Mbps / 19 = 131.58Mbps per premises (100 down / 30 up).

An FTTN node services a maximum of 384 premises (192 per ISAM) with 2 fibres per ISAM at 2.5 Gbps per fibre with a max capacity of 10Gbps. Therefore:
10,000Mbps / 384 = 26.04Mbps per premises (20 down / 5 up).Why the coalition has chosen a technology that has this limitation, whole other story

HFC and Wireless have the worst contentions of all:
HFC serves between 40 and 2000 premises per node.
Wireless... Whoever is within range...

Point being what good is it if you achieved 2Gbps on one line if it had zero contention? That just means in a real world scenario it wouldnt really be 2Gbps.

Another minor issue, they cannot possibly scan the quantity of data in real time the best they will be able to do will be investigate after the fact.
This would explain France, plus as Germany discovered the increase in convictions due to data retention was 0.006%, with in the range of statisticly zero.
http://www.lawcouncil.asn.au/lawcouncil/images/2923_-_Telecommunications_Interception_and_Access_Amendment_Data_Retention_Bill_2014.pdf

Only logged in users may vote for comments!

Get Permalink

Trending Stories Right Now

TPG currently stands as the second largest internet service provider (ISP) in Australia, and is a force to be reckoned with in the telecommunications industry. Its rapid growth is mainly attributed to strategic acquisitions it has made in recent years. One of those acquisitions was iiNet, an ISP that boasted high customer satisfaction and respect in the community.
A year after TPG bought iiNet, the situation looks bleak for the ISP that was once the darling of the telco industry. Most recently, iiNet's Sydney office was shut down, most of its staff made redundant. We spoke to one former iiNet employee to get the insider story on the aftermath of the TPG acquisition. We also spoke with iiNet, to get its side of the story.

Consider the humble light globe. It hides in your ceiling, turning electricity into light, but little do you know how inefficiently it's doing that. Halogen light bulbs aren't great, but traditional incandescents are downright terrible. Ikea says that the average Aussie household could save nearly $150 a year by switching its lighting to LEDs.